SharpView: https://github.com/tevora-threat/SharpView (aggressor https://github.com/tevora-threat/PowerView3-Aggressor)

PowerView: https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 (tips https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993) (dev: https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1)

ADModule: https://github.com/samratashok/ADModule (To use ActiveDirectory module without installing RSAT, we can use Import-Module for the valid ActiveDirectory module DLL)


Get Domain

Get-NetDomain -Domain domain.local

Get Domain SID

Get-DomainSID -Domain domain.local

Get Domain Policy

(Get-DomainPolicy)."system access"
(Get-DomainPolicy –domain moneycorp.local)."system access"

Get DCs

Get-NetDomainController –Domain moneycorp.local 


Get a list of users in the current domain

Get-NetUser –Username student1

Get a list of all properties for users within domain

# Lists all properties available

# Gets the value of a property for all users in domain
Get-UserProperty –Properties pwdlastset 

Search for particular string in users attribute

Find-UserField -SearchField Description -SearchTerm "built" 


Get all groups in current domain

Get-NetGroup –Domain <targetdomain> 
Get-NetGroup –FullData 

Get all groups containing admin in current domain

Get-NetGroup *admin* 

Get members of domain admin group

Get-NetGroupMember -GroupName "Domain Admins" -Recurse 

Get the group membership for a user

Get-NetGroup –UserName "student1" 

Computers / Sessions

Get a list of computers in current domain

Get-NetComputer –OperatingSystem "*Server 2016*" 
Get-NetComputer -Ping 
Get-NetComputer -FullData

List all local groups on a machine (needs admin privs to query non-dc machines)

Get-NetLocalGroup -ComputerName dcorpdc.dollarcorp.moneycorp.local -ListGroups

List members of local groups on a machine (needs admin privs on non-dc machines)

Get-NetLocalGroup -ComputerName dcorpdc.dollarcorp.moneycorp.local -Recurse

Get actively logged on users on target (needs admin rights on target)

Get-NetLoggedon –ComputerName <servername>

Get locally logged on users on target (needs remote registry enabled (started by default on servers))

Get-LoggedonLocal -ComputerName dcorpdc.dollarcorp.moneycorp.local

Get the last logged on user on target (needs admin rights and remote registry enabled)

Get-LastLoggedOn –ComputerName <servername>


Find shares on hosts in current domain

Invoke-ShareFinder –Verbose

Find sensitive files on computers within domain

Invoke-FileFinder –Verbose

Get all file servers of domain



Get list of GPO in current domain

Get-NetGPO -ComputerName dcorpstudent1.dollarcorp.moneycorp.local 

Get GPO which use restricted groups or groups.xml for interesting users


Get users which are in a local group of a machine using GPO

Find-GPOComputerAdmin –Computername dcorpstudent1.dollarcorp.moneycorp.local

Find machines where given user is a member of a specific group

Find-GPOLocation -UserName student1 -Verbose

Get OUs in a Domain

Get-NetOU -FullData 

Get GPO applied on an OU

Get-NetGPO -GPOname "{AB306569-220D-43FF-B03B83E8F4EF8081}"


Get ACLs associated with a specific object

Get-ObjectAcl -SamAccountName student1 –ResolveGUIDs
Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose 
Get-ObjectAcl -ADSpath "LDAP://CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local" -ResolveGUIDs -Verbose

Search for interesting ACEs

Invoke-ACLScanner -ResolveGUIDs

Get the ACLs associated with the specified path

Get-PathAcl -Path "\\dcorp-dc.dollarcorp.moneycorp.local\sysvol"


Domain Trust Mapping

Get-NetDomainTrust –Domain us.dollarcorp.moneycorp.local

Forest Mapping

Get-NetForest –Forest eurocorp.local 

Get all domains in current forest

Get-NetForestDomain –Forest eurocorp.local

Get all global catalogues for the current forest

Get-NetForestCatalog –Forest eurocorp.local 

Map trusts of a forest

Get-NetForestTrust –Forest eurocorp.local 


Find all machines on the current domain where the current user has local admin access (This function queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then use multi-threaded Invoke-CheckLocalAdminAccess on each machine. Logon events for all machines, loud!)

Find-LocalAdminAccess –Verbose

Alternative: Find-WMILocalAdminAccess.ps1

Find local admins on all machines of the domain (needs administrator privs on non-dc machines). (This function queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then use multi-threaded GetNetLocalGroup on each machine.)

Invoke-EnumerateLocalAdmin –Verbose

Find computers where a domain admin (or specified user/group) has sessions. (This function queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-NetGroupMember, gets a list of computers (Get-NetComputer) and list sessions and logged on users (GetNetSession/Get-NetLoggedon) from each machine).

Invoke-UserHunter -GroupName "RDPUsers"

Confirm admin access

Invoke-UserHunter -CheckAccess

Find computers where a domain admin is logged-in. (This option queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using GetNetGroupMember, gets a list only of high traffic servers (DC, File Servers and Distributed File servers) for less traffic generation and list sessions and logged on users (Get-NetSession/Get-NetLoggedon) from each machine.)

Invoke-UserHunter -Stealth


Unconstrained Delegation

Get-NetComputer -UnConstrained
Get-DomainUser -AllowDelegation -AdminCount

Constrained Delegation

Get-DomainUser –TrustedToAuth 
Get-DomainComputer –TrustedToAuth

ASREP Roasting

Get-DomainUser -PreauthNotRequired -Verbose

Clear Passwords

$FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl

Last updated